Q&A: Best Practices for Access Management

Security administrators face a daunting task of keeping access to enterprise resources current and accurate. Employees come and go and new or updated applications are implemented that pose a challenge to even the most talented access managers.

Part of the problem may be the products or technologies that were designed to solve the problem, such as Active Directory. We examine the bigger picture -- the proper use of groups and roles and the best practices administrators can follow -- with the senior product manager of Quest Software, Bob Bobel. Bob is responsible for provisioning and access managment products at Quest.

Enterprise Strategies: What are the challenges facing security managers responsible for access management?

Bob Bobel: The biggest challenge I see is around control of access management -- authorization in particular. I am amazed that even today the seemingly simple question Where does Jane have access in my environment? still cannot be answered easily and quickly. This is difficult because the sheer volume and distributed nature of applying access directly to resources or within applications make finding and analyzing that access virtually impossible. There are some tools on the market today that claim they do this; the catch with some of these tools is that you have to use the tool to grant the access to the application or data from the start. For many organizations this simply does not work because they have been relying on individual platforms’ native capabilities to assign access to resources -- in some cases for decades.

How do groups help solve this problem?

Groups certainly help in that they save time by allowing an administrator to identify a collection of users needing similar access to a specific resource. A group can be created and assigned access on the resource, then as additional users need access, the new users are simply granted membership in the appropriate group. Often these groups map to the organization’s business structure. For example I could authorize the group North America Engineers to modify a set of drawing files.

Unfortunately, groups also contribute significantly to overhead associated with access management. Because groups are the primary authorization control on systems such as Microsoft Windows and most other platforms, they are the most widely used method for controlling access. Over time, administration and maintenance over an increasing number of groups becomes a serious burden. Groups also fall victim to the distributed nature of today’s access, and because groups can be granted membership in other groups, determining where a group has been used to grant access is just as difficult as asking where has a user been granted explicit access.

Do roles make access administration easier?

The short answer is no, but roles can provide an additional degree of control over groups. While the terms group and roles are sometimes confused, most experts point out they are technically different. Essentially both are used to identify a collection of users to which access will be assigned. To be “role,” the software being used should follow the RBAC (role-based access control) standard set forth by the American National Standards Institute that defines additional controls beyond what groups would provide.

To further complicate things, individual applications often use the term role to identify a typical set of permissions that it believes should be granted to a user of their product. Many organizations attempt to move from group-based access control to role-based access control, then find the group proliferation they struggled with is only compounded by role proliferation.

Given these problems, how is IT coping? What techniques are they using to keep abreast of changes?

Unfortunately, many organizations are unable to cope with the problem. To answer the question Where does Jane have access?, most IT groups will use a security scanning tool that tries to retrieve security information throughout the network, then the IT staff attempts to analyze that data.

The analogy that best describes the challenge these tools face is that of finding specific books in a library. For example, imagine you were asked to find all books related to Ernest Hemingway in your local library. Without the use of the card catalog, searching would begin with the first book on the first shelf, followed by examining each book on every shelf. Searching ends after the last book on the last shelf; only in this way would you be certain a book was not overlooked.

The obvious drawback to this type of security scanning is the time it takes to complete a complete scan. A small business may be able to complete a scan in just a few hours, but medium and large organizations that may also be geographically distributed find it takes days to complete a scan -- if the scan can be completed at all.

Without the ability to quickly view where access has been granted, service-level agreements between IT and business users are tough to meet. These delays also mean that data cannot be used for management functions such as cleaning up a terminated employee’s access or duplicating the access of an existing employee for a new hire. Possibly the biggest danger is that during the time the scan takes, the underlying security can change, making the access information worthless.

What best practices can you recommend IT follow when it comes to managing user access to resources? Are there “right” ways to define or handle groups and roles?

It is common to see naming conventions used to make it easier to understand the purpose of a group or role, but naming conventions only help a little. Distributing responsibility for access management to the application or data owner, automating group management, and treating access management as a lifecycle are three additional practices that will help bring access management under control.

By distributing responsibility for access management, I mean make the application or data owner responsible for management and review of the security of their own resource. Tools such as self-service group management that provide attestation (access certification) can safely accomplish this and, in many cases, simultaneously reduce the IT workload.

Automation with a tool or with scripting can be employed to create and populate many of the groups that are commonly needed to represent the organization’s structure. For example, create a group of users for each office location, business unit, or city of operation for your organization.

Access lifecycle management (ALM) is a relatively new term that closely parallels identity lifecycle management in that managing access to a resource has a start, a middle, and an end. The beginning of the access lifecycle management is when a new application or some data needs to be accessed and security is set on that resource. The middle is where users are granted access, the resource owner is asked to attest to the access that has been granted, and auditors may need to review the access. The end of ALM occurs when the application or data is no longer required and the security for granting access is removed.

Where do you see access management heading?

There are several new technologies and standards that are emerging that look promising. Policy based access control using standard protocols such as XACML are designed to move access control from the decentralized model we see today to a centralized model. Centralizing access management has major benefits in that there is one repository to manage, analyze, and audit. The challenge is that applications will have to be built or changed to support these technologies. Many developers I've talked to believe externalizing access decisions actually simplifies the way their programs would be written, allowing them to get to market faster and make them simpler to maintain. Claims-based access control is another area vendors are investing.

Claims-based access control fits the existing decentralized model where access control is still embedded within each individual application, but the way a user is assigned access is more flexible, based on groups/roles and other types of data (such as city in which they work, their office hours etc.).

What products or services does Quest Software offer for access management?

Quest provides several solutions specifically targeted at simplifying access management. In particular, Quest Access Manager provides a real-time security map and management interface that displays where a user or group has been granted access on your network, at which point the security can be managed or detailed in a report.